Privacy, like beauty, is in the eye of the beholder, and at the American Health Information Management Associations annual convention this week, privacy in its varied interpretations was a recurrent theme, including a day-long, privacy institute the day before the show officially opened for its three-day run in Philadelphia.
I cant tell you any more about the institute, because it was, well, private. For AHIMA members only, it was probably pretty interesting, given the organizations longstanding reputation as an advocate for patient privacy and its involvement (through an affiliate organization) in recent years as a government contractor on several projects with direct and indirect privacy implications.
Once the convention got under way, though, there were several, more readily accessible educational sessions devoted to privacy and one general session address. One was a panel discussion, provocatively titled, Tales from the CryptHIPAA in the Real World. The convention guide said of the session: HIPAA is not for the faint of heart. Practical solutions to real problems that can bring a potential nightmare to a satisfactory end.
As billed, there were plenty of Health Insurance Portability and Accountability Act horror stories from the four panelists, who all work in the trenches as medical records managers for healthcare organizations. They also made mention of the recent, highly publicized breach of actor George Clooneys medial records by hospital workers in New Jersey, which, according to an Associated Press account, involved between 27 and 40 workers, including physicians, who were suspended after illegally viewing his medical records.
Perhaps there were some Clooney fans on the panel who felt empathy with the punished, because they conducted a theoretical discussion about whether a young and foolish healthcare worker, fired for a privacy violation, such as unauthorized peeking, should ever be rehired. If, for example, the panelists pondered, the person had been sacked for looking at a record, and then, after a suitably long period of penitence, say, completing a nursing training program, wanted to resume a career in healthcare, should the earlier indiscretion be forgiven? The panelists left the question unanswered.
Pam Dixon, head of the San Diego-based World Privacy Forum, was in the audience with me for this session and we talked about it later. Dixon, herself a devout privacy advocate, gave a general session presentation on medical identity theft. She said she was struck with, and pleased by, the passion the panelists evidenced for privacy protection, how vigilant they were and how seriously they took their responsibilities. Later, Dixon, in a talk to attendees, said AHMIA would be just the group to take the lead in raising public awareness of medial identity theft and crafting an industry response.
Perhaps they neednt have bothered. The Clooney episode has clearly entered the zeitgeist. As I was driving to work the morning after the AHIMA show ended, a local Chicago radio personality commented on the actors situation and then on broader healthcare privacy threats. Employers, he noted, are asking workers to sign up for personal health records, but from a privacy standpoint, he said it probably wasnt such a bright idea.
In addition to its focus on privacy, AHIMA used the convention to launch its own national public relations campaign in support of PHR adoption. And that reveals an interesting dichotomy in the associations outlook.
AHIMA also supports a uniform national privacy law, a stance a good number of privacy advocates find disturbing, since under the 1996 HIPAA statute, states are allowed to keep their privacy rules as long as they are more stringent than the federal ones.
And in 2005 AHIMAs Foundation of Research and Education released a pair of reports it compiled under a $483,000 contract from the Office of the National Coordinator for Health Information Technology at HHS. They concluded that healthcare IT systems using automated coding products and other, even more sophisticated software, should be enlisted in the fight against medical fraud, which, depending on how they are implemented, could raise serious privacy concerns. Computerized tools, such as artificial neural networks, could predict fraud based on claims data in an EHR. These tools should become an integral part of the federally proposed National Health Information Network, the AHIMA foundation said.
AHIMA fellow Bonnie Cassidy was a senior research associate on the contract project, whose report stated the use of advanced analytics software built into the NHIN is critical to fraud loss reduction.
A controversial, follow-up study, based on AHIMAs initial work, also funded by HHS, was released by the Research Triangle Institute this July. That report received decidedly mixed reviews, not only from privacy gurus, but also from some IT vendors and at least one medical society officer. At issue was the recommendation that the government, through the federally supported Certification Commission for Healthcare Information Technology, induce IT vendors to build into physician EHR systems electronic back doors. Payers could then use the passageways to peruse clinicians and patients medical records to look for possible fraud.
The recommended access would include the ability to review the records of a patient over a period of time, not just to verify care for a specific claim.
Cassidy was a panelist during the certification commissions Town Hall meeting at AHIMA. Now a member of the commission staff, she is the strategic lead on a panel of experts looking into developing commission testing criteria for IT systems in the areas of privacy and compliance.
The certification commission panel is reviewing the AHIMA foundations fraud-fighting recommendations as part of its environmental scan of documents on privacy and compliance issues. Interestingly, one of the items in the scan is the Care Record Guarantee produced by the Care Record Development Board, which sets the rules that govern information held in the British National Health Services computerized clinical information network. According to a certification commission summary, the guarantee allows patient control over whether patient data can be shared, allows patients to identify only parts of a record to be shared and selectively limits what will be shared. It also requires a complete audit of any access to a patients record. In the U.S., the privacy subcommittee of the National Committee on Vital and Health Statistics is considering recommendations to the HHS secretary, a recent draft of which contains similar elements of so-called granular patient access controls.
Such privacy guarantees would likely clash with AHIMA recommendations granting payers access to longitudinal patient records for fighting fraud. All of which puts Cassidy, the AHIMA fellow, as well as AHIMA itself, and CCHIT, in an unenviable position.